getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Open Redirect Vulnerability #28579

Closed TheAschr closed 3 years ago

TheAschr commented 3 years ago

Environment

self-hosted (onpremise deployment)

Version

21.8.0

Steps to Reproduce

  1. Deploy on-prem sentry
  2. Link a user to the deployed sentry instance at https://HOSTNAME:9000%252F@b.xy/ replacing HOSTNAME as appropriate
  3. User gets redirected to http://b.xy/
  4. Set up a website on "b.xy" that looks like Sentry, with a username/password login
  5. User enters their Sentry username and password into the malicious site, compromising their account

https://cwe.mitre.org/data/definitions/601.html

Expected Result

Should not redirect user to malicious site.

Actual Result

User gets redirected to malicious site.

BYK commented 3 years ago

Are you sure this is an open-redirect issue? I tried this in my browser and it simply works for any site (including google.com). Looks like expected browser behavior to me.

TheAschr commented 3 years ago

I think you are right. I am waiting to hear back if acunetix is giving a false positive:


BYK commented 3 years ago

I don't think this is valid at all so closing:

curl -v -L 'https://try.sentry-demo.com%252F@b.xy'
* Rebuilt URL to: https://try.sentry-demo.com%252F@b.xy/
* Could not resolve host: b.xy
* Closing connection 0
curl: (6) Could not resolve host: b.xy
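As an added illustration of the point in BYK's two comments above (this is example code, not code from the issue or from Sentry): the `@` in the reported URL turns everything before it into userinfo, so a browser, like curl in the last comment, connects straight to `b.xy` and the Sentry instance never receives a request it could redirect. The helper below compares the host a reader sees at a glance with the host a standards-conforming parser actually resolves; `HOSTNAME` is the placeholder from the report, and `sentry.example` is a constructed hostname.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the URL shape from the report (HOSTNAME kept as a placeholder)
# and an ordinary login URL on a made-up host for comparison.
REPORTED_URL = "https://HOSTNAME:9000%252F@b.xy/"
ORDINARY_URL = "https://sentry.example:9000/login?next=/"


def apparent_host(url: str) -> str:
    """Host as a casual reader sees it: text after '://' up to the first ':', '/', '?' or '#'."""
    rest = url.partition("://")[2]
    return re.split(r"[:/?#]", rest, maxsplit=1)[0]


def triage_redirect_report(url: str) -> dict:
    """Distinguish a real application redirect from userinfo confusion in the URL itself.

    A scanner that reads 'HOSTNAME' at the front of the URL may report an open redirect,
    but the client resolves the authority per RFC 3986: userinfo '@' host. If the two
    hosts differ, the request never reaches the application named first.
    """
    parts = urlsplit(url)
    seen = apparent_host(url)
    effective = parts.hostname or ""
    confusion = "@" in parts.netloc and seen.lower() != effective.lower()
    return {
        "apparent_host": seen,
        "effective_host": effective,
        "username": parts.username,  # 'HOSTNAME' for the reported URL
        "password": parts.password,  # '9000%252F' for the reported URL
        "userinfo_confusion": confusion,
        "verdict": (
            "client connects directly to the host after '@'; no server-side redirect involved"
            if confusion
            else "hosts agree; check whether the application itself issues the redirect"
        ),
    }


if __name__ == "__main__":
    for sample in (REPORTED_URL, ORDINARY_URL):
        print(sample, "->", triage_redirect_report(sample))
```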